Why this module exists
AdminSDHolder is one of the cleanest persistence primitives in AD because it abuses a feature, not a bug. Microsoft built SDProp to protect privileged accounts from accidental ACL drift. Attackers turned that protection into a self-healing backdoor. If you have ever seen an environment where the IR team cleaned up the Domain Admins ACL, came back the next morning, and the backdoor was back — you have seen SDProp doing the attacker’s work.
What AdminSDHolder actually is
AdminSDHolder lives in CN=AdminSDHolder,CN=System,DC=corp,DC=local. It is not a user, group, or container in the normal sense — it is an ACL template. Every 60 minutes (configurable via AdminSDProtectFrequency), the SDProp thread on the PDC Emulator walks the protected-group list, finds every direct and transitive member, and overwrites their nTSecurityDescriptor with a copy of AdminSDHolder’s ACL. The adminCount attribute on each member is set to 1 as a marker that they are under SDProp’s control.
The protected-group list is hard-coded into the OS:
- Domain Admins, Enterprise Admins, Schema Admins
- Administrators (the built-in group), Backup Operators, Server Operators, Account Operators, Print Operators
- Domain Controllers, Read-only Domain Controllers
- Replicator, Cert Publishers (in some versions)
- krbtgt and the built-in Administrator
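The mechanism above gives defenders two concrete things to check: the ACL on the AdminSDHolder template itself (anything with write-class rights there will be stamped onto every protected account within the hour), and the set of objects still carrying adminCount=1 that are no longer members of any protected group (SDProp stops managing them but never cleans up the stamped ACL). The script below is an added example, not code from the original article; it assumes the RSAT ActiveDirectory module, read access to CN=System, and a baseline list of trusted writers that you adjust to your own environment (the `$trustedWriters` and `$protectedGroups` arrays are assumptions, seeded from the defaults described above).

```powershell
# Added example (not from the original article): audit the AdminSDHolder mechanism
# from the defender's side. Assumes RSAT ActiveDirectory and a domain-joined host.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$holderDN = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$nb       = $domain.NetBIOSName

# 1. SDProp interval. The registry value (seconds) only matters on the PDC Emulator;
#    when it is absent the 60-minute default applies.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$freq = (Get-ItemProperty -Path $ntds -Name AdminSDProtectFrequency -ErrorAction SilentlyContinue).AdminSDProtectFrequency
if ($freq) { "SDProp interval: $freq seconds" } else { "SDProp interval: default (3600 seconds)" }

# 2. Write-class ACEs on the AdminSDHolder template held by anyone outside the
#    core admin set. Assumption: extend $trustedWriters with groups your
#    environment deliberately added, then review whatever is left. A default ACL
#    still shows a few entries here (e.g. SELF validated writes, Everyone's
#    Change Password extended right); they are listed on purpose so you see them.
$trustedWriters = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$nb\Domain Admins",
    "$nb\Enterprise Admins"
)
$writeRights = [int][System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty, ExtendedRight, Self'

$acl = Get-Acl -Path "AD:\$holderDN"
$suspect = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (([int]$ace.ActiveDirectoryRights -band $writeRights) -eq 0) { continue }
    if ($ace.IdentityReference.Value -in $trustedWriters) { continue }
    [pscustomobject]@{
        Trustee    = $ace.IdentityReference.Value
        Rights     = $ace.ActiveDirectoryRights
        ObjectType = $ace.ObjectType   # all-zero GUID = whole object; otherwise a specific attribute/right
        Inherited  = $ace.IsInherited
    }
}

# 3. Objects SDProp currently manages: every protected group, its transitive
#    members (LDAP_MATCHING_RULE_IN_CHAIN on memberOf, plus primaryGroupID for
#    accounts such as DCs that are members only via their primary group),
#    and the two individually protected accounts.
$protectedGroups = @('Domain Admins','Enterprise Admins','Schema Admins','Administrators',
    'Backup Operators','Server Operators','Account Operators','Print Operators',
    'Domain Controllers','Read-only Domain Controllers','Replicator')
$managed = New-Object 'System.Collections.Generic.HashSet[string]'
foreach ($name in $protectedGroups) {
    try { $grp = Get-ADGroup -Identity $name -ErrorAction Stop }
    catch { continue }   # Schema/Enterprise Admins exist only in the forest root domain
    [void]$managed.Add($grp.DistinguishedName)
    $rid = $grp.SID.Value.Split('-')[-1]
    Get-ADObject -LDAPFilter "(|(memberOf:1.2.840.113556.1.4.1941:=$($grp.DistinguishedName))(primaryGroupID=$rid))" |
        ForEach-Object { [void]$managed.Add($_.DistinguishedName) }
}
foreach ($sam in 'krbtgt','Administrator') {
    try { [void]$managed.Add((Get-ADUser -Identity $sam -ErrorAction Stop).DistinguishedName) } catch { }
}

# Anything stamped adminCount=1 that SDProp no longer manages is an orphan: it
# kept the admin ACL and blocked inheritance after leaving the protected set.
$orphans = Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Where-Object { -not $managed.Contains($_.DistinguishedName) }

"`nWrite-class ACEs on AdminSDHolder outside the trusted admin set:"
$suspect | Format-Table -AutoSize
"`nadminCount=1 objects no longer in any protected group (orphans):"
$orphans | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize

# After removing a rogue ACE from AdminSDHolder, you can trigger an SDProp pass on
# the PDC Emulator instead of waiting for the next interval, using the documented
# rootDSE operational attribute:
#   $rootDse = [ADSI]'LDAP://RootDSE'; $rootDse.Put('RunProtectAdminGroups', 1); $rootDse.SetInfo()
```

Run it as a read-only check first; the only write in the file is the commented-out rootDSE trigger at the end. The ACL check deliberately lists every write-class ACE outside the four core trustees rather than hiding the defaults, because a persistence ACE is typically a plain "Allow GenericAll" or "WriteDacl" for one ordinary user or group, and that stands out immediately next to the handful of expected entries. The orphan list is where cleaned-up-but-not-reset accounts show up: removing a user from Domain Admins does not clear adminCount or re-enable inheritance, so those objects keep an administrator-grade ACL until someone resets them by hand.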